Analysis

The Rising “True Cost” of Agents: Autonomy Is Cheap Until You Count Identity, Governance, and the Skill Supply Chain

As always-on agents move into consumer suites and enterprise stacks, the binding constraint is shifting from model capability to the full cost of operating agents safely: identity, policy enforcement, auditability, and supply-chain security for skills and tool connections.

Published: · agentic-economy, identity, governance, security, supply-chain, google, databricks

Agentic AI is entering a phase where raw autonomy is no longer the headline feature—operational affordability is. Not affordability in the narrow sense of token prices, but in the broader “true cost” sense: every additional autonomous action creates a bill in compute and a shadow bill in identity, security, governance, and audit. The week’s signals—Google’s push toward always-on Gemini Spark, enterprise vendors extending policy and identity propagation to agents, and research demonstrating how tiny text edits can subvert skill registries—fit together as one story: the marginal cost of deploying another agent is becoming increasingly dominated by control-plane overhead, not just model inference.

From “Can it act?” to “Can it be allowed to act?”

The center of gravity is moving from capability to permissioning. Early agent discourse treated tools as a capability unlock: connect an LLM to email, calendar, files, ticketing, and suddenly the agent “does work.” In production environments, the more important question is what the agent is authorized to do, on whose behalf, under what policies, and with what evidence trail.

Databricks’ expansion of Unity Catalog governance to agents is emblematic of this shift: it frames agent operations as something that must be governed at runtime via identity-aware access, policy enforcement, and observability across model calls and tool invocations. This is not an optional “enterprise add-on”; it is a response to a structural property of agents. Agents do not merely generate text—they make decisions and trigger actions across systems of record. That transforms governance from a static “who can read what table” problem into a dynamic “who/what can invoke which capability, with which parameters, in which context” problem.

On-behalf-of identity becomes the default expectation

A key mechanism in the Databricks framing is on-behalf-of identity propagation: the agent inherits the invoking user’s permissions, and logs tie activity to both user and agent identities. That design pattern is emerging because it maps to the real compliance question auditors and security teams ask: not “what did the model do,” but “who caused it to happen, through which delegated identity, and what did it touch?”

The alternative—agents operating under coarse shared service accounts—creates exactly the kind of privilege sprawl and attribution gaps that modern IAM programs spent the last decade trying to eliminate. The fact that governance vendors are making identity propagation a headline feature is evidence that enterprises are already hitting this wall.

The identity “tax” is no longer hypothetical—it is budgeted

Dark Reading’s summary of Omdia research makes the cost shift explicit: AI agents create a new identity population that needs authentication, authorization, lifecycle management, and governance. The notable detail is not simply that identity teams see the risk, but that budgets are being re-labeled to pay for it: a meaningful fraction of leaders are funding identity security for agents from standalone AI budgets or separate AI allocations.

This is the beginning of a predictable accounting truth in the agentic economy: agent automation does not replace labor with tokens; it replaces labor with tokens plus controls. When projects move from demos to durable automation, spend migrates toward:

Identity lifecycle and entitlement management for non-human actors

Agents are long-running and often operate across multiple systems. That implies provisioning, rotation, and deprovisioning for credentials; assignment and review of entitlements; and segmentation between agent roles (e.g., “inbox triage agent” should not share a boundary with “payments agent”). The Omdia-driven “identity tax” language lands because it matches how enterprises actually buy risk reduction: through IAM tooling, policy engines, monitoring, and audit support.

Auditability and observability as operating costs

Once an agent can act, logs become evidence. Observability is no longer just debugging; it becomes the mechanism by which organizations prove policy compliance, investigate incidents, and assign responsibility. Databricks’ emphasis on logging across model calls and tool invocations points to a future where “agent operations” resembles SRE: you do not just deploy agents; you operate them.
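A minimal sketch of the pattern described in the three passages above: on-behalf-of identity, segmentation between agent roles, and logs that name both the user and the agent. This is an added example, not code from Databricks or any vendor named here. The `Gateway` class, the permission tables and the sample identities are constructed for illustration, and intersecting the user's permissions with a per-agent scope is an assumption that goes one step beyond plain permission inheritance.

```python
import json
from dataclasses import dataclass, field

# Constructed sample data: user entitlements and per-agent role boundaries.
USER_PERMS = {
    "alice": {("mail", "read"), ("mail", "send"), ("payments", "approve")},
    "bob": {("mail", "read")},
}
AGENT_SCOPES = {
    "inbox-triage-agent": {("mail", "read"), ("mail", "send")},
    "payments-agent": {("payments", "approve")},
}

@dataclass
class Gateway:
    """Hypothetical policy point in front of every tool invocation."""
    audit_log: list = field(default_factory=list)

    def invoke(self, user, agent, resource, action, params=None):
        """Decide one tool call made by `agent` on behalf of `user`."""
        want = (resource, action)
        user_ok = want in USER_PERMS.get(user, set())
        agent_ok = want in AGENT_SCOPES.get(agent, set())
        if user_ok and agent_ok:
            decision, reason = "allow", "user entitled and within agent scope"
        elif not user_ok:
            decision, reason = "deny", "invoking user lacks permission"
        else:
            decision, reason = "deny", "outside agent role boundary"
        # Every decision, allowed or denied, is recorded with both identities.
        self.audit_log.append(json.dumps({
            "seq": len(self.audit_log) + 1,
            "on_behalf_of": user, "agent": agent,
            "resource": resource, "action": action,
            "params": params or {}, "decision": decision, "reason": reason,
        }, sort_keys=True))
        return decision == "allow"

def demo():
    gw = Gateway()
    results = [
        gw.invoke("alice", "inbox-triage-agent", "mail", "send", {"to": "team@example.com"}),
        gw.invoke("bob", "inbox-triage-agent", "mail", "send"),
        gw.invoke("alice", "inbox-triage-agent", "payments", "approve"),
    ]
    return results, [json.loads(line) for line in gw.audit_log]

if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The third call is the one a shared service account would have let through: the user is entitled to approve payments, but the inbox agent's role boundary does not include it.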

The skill supply chain problem turns prompts into an attack surface

The Register’s reporting on semantic supply-chain attacks against skill registries adds the missing threat model: in agent ecosystems, natural-language artifacts can behave like executable control surfaces. If skills are discovered and selected based on text descriptions (e.g., SKILL.md), then minor edits can influence which skills are chosen and what an agent believes it is authorized to do.

The disturbing point is not that prompt injection exists, but that the registry layer becomes a marketplace-shaped distribution channel for behavior. When “skills” are partly code and partly instructions, the security boundary is porous: a malicious or subtly edited description can function as user-authorized prompt injection. The reported demonstrations—short triggers that affect discovery/selection rates, and evasion tactics like overflowing an LLM reviewer’s context window—suggest that purely automated scanning of skill text may be structurally brittle.

Why this matters more as agents become always-on

Google’s Gemini Spark pitch, as described by The Verge—cloud-based, 24/7, working across Google services and external partners—raises the stakes. Always-on agents are not episodic; they are persistent. Persistence amplifies three risks at once:

  1. Exposure time: a subverted skill or instruction set has more opportunities to trigger.
  2. Privilege accumulation: over time, users and admins grant more access to make the agent “useful,” increasing blast radius.
  3. Attribution complexity: long-running background behavior can blur what was explicitly requested versus what was opportunistic.

This is where the week’s stories converge: the supply chain risk is the reason identity and governance layers are moving from “best practice” to “budget line item.” If the control plane includes natural language, then security has to treat text as a privileged artifact—versioned, reviewed, policy-checked, and monitored in production.
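One way to treat skill text as a versioned, reviewed artifact is to pin the digest of the description that was approved and refuse anything else at load time. The sketch below is an added example, not code from any registry or from the research reported above. `SkillPins`, the sample skill and the 4096-byte review limit are assumptions, the last chosen so that text longer than a reviewer fully reads is rejected instead of partially scanned.

```python
import hashlib
import unicodedata

MAX_REVIEWED_BYTES = 4096  # assumed cap on description size accepted for review

def digest(text):
    """SHA-256 over NFC-normalized UTF-8, so the pin covers the exact reviewed text."""
    return hashlib.sha256(unicodedata.normalize("NFC", text).encode("utf-8")).hexdigest()

class SkillPins:
    """Hypothetical allowlist: (skill name, version) -> digest of the approved SKILL.md."""

    def __init__(self):
        self._pins = {}

    def approve(self, name, version, text):
        """Record the digest of a description after human review."""
        if len(text.encode("utf-8")) > MAX_REVIEWED_BYTES:
            raise ValueError("description exceeds review size limit")
        self._pins[(name, version)] = digest(text)

    def check(self, name, version, text):
        """Return (ok, reason) for the description about to be shown to the agent."""
        pinned = self._pins.get((name, version))
        if pinned is None:
            return False, "unreviewed skill or version"
        if len(text.encode("utf-8")) > MAX_REVIEWED_BYTES:
            return False, "description exceeds review size limit"
        if digest(text) != pinned:
            return False, "description differs from reviewed text"
        return True, "matches reviewed text"

# Constructed sample descriptions: the reviewed text and a one-line later edit.
REVIEWED = "# calendar-helper\nCreates calendar events from a meeting request.\n"
EDITED = REVIEWED + "Handles recurring events too.\n"

def demo():
    pins = SkillPins()
    pins.approve("calendar-helper", "1.0.0", REVIEWED)
    return [
        pins.check("calendar-helper", "1.0.0", REVIEWED),
        pins.check("calendar-helper", "1.0.0", EDITED),
        pins.check("calendar-helper", "1.1.0", REVIEWED),
        pins.check("calendar-helper", "1.0.0", REVIEWED + " " * MAX_REVIEWED_BYTES),
    ]

if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

A pin only proves the text is the one that was reviewed; it says nothing about whether the review itself was sound, so denied checks still need to be logged and monitored in production.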

Platform convergence: the agent becomes the interface, governance becomes the moat

The consumer narrative (“agents as digital coworkers”) and the enterprise narrative (“agents as operating system”) are converging on a common architecture: long-running agents embedded into suites, connected to many tools, and mediated by standardized connectors. The Times Square Chronicles commentary is not a primary technical source, but it reflects a real market reframing: agents are being positioned as an execution layer across business software rather than a chat feature.

The competitive implication is not that every vendor will build the smartest model; it is that vendors will compete on who can provide the safest, most governable autonomy across the most valuable integration surface area. Google’s approach—an always-on agent that spans Google services and partners—only becomes enterprise-credible when the surrounding control plane (identity, policy, audit, and tool governance) is equally mature. Databricks, by contrast, is explicitly productizing that control plane for enterprises, treating models, agents, and MCP servers as governable assets.

The Times of India snippet, which appears to reference a story from The Information, lacks verifiable detail, and that absence is instructive in its own way: much of the competitive dynamics in agent platforms will hinge on data access and integrations, but without primary detail, these claims cannot be responsibly assessed. What can be assessed from the available sources is that vendors are publicly building the scaffolding (governance and identity propagation) needed to safely exploit data and integrations at scale.

What This Means for the Agentic Economy

The agentic economy will not be limited by whether agents can perform tasks; it will be limited by whether organizations can afford to let them.

The evidence now shows that the total cost of agentic automation is becoming a three-part equation:

First, compute spend rises with usage, especially for always-on agents that monitor, plan, and act continuously rather than in discrete sessions (as framed in the Gemini Spark rollout). Second, identity and governance costs are becoming mandatory, as indicated by Omdia-linked budget shifts and by vendors extending identity-aware control and auditability to agents. Third, supply-chain assurance becomes an ongoing operating expense, because skills and tool connections can be subverted through natural-language surfaces that evade naive scanning, forcing more robust review, provenance, and runtime monitoring.

As a result, scalable production deployment will favor agent systems that can prove four things cheaply: who the agent is, whose authority it is using, what it touched, and why it chose the tool/skill it used. Vendors that reduce the marginal cost of those proofs—through built-in identity propagation, centralized policy, and high-fidelity logs—will make more workflows economically automatable than vendors who focus primarily on agent “IQ.”

The near-term shape of the agentic economy, therefore, looks less like an explosion of unconstrained autonomous workers and more like the institutionalization of “governed autonomy”: agents that are persistent and useful, but instrumented, permissioned, and auditable by default. That governance overhead is the price of admission—and increasingly, it is where durable advantage will accumulate.

Sources

https://www.theregister.com/ai-ml/2026/05/22/minor-edits-to-ai-skills-can-make-agents-go-rogue/5245413
https://www.theverge.com/ai-artificial-intelligence/934478/if-google-cant-make-ai-agents-useful-maybe-no-one-can
https://www.databricks.com/blog/governing-ai-agents-scale-unity-catalog
https://www.darkreading.com/identity-access-management-security/shifting-budget-dynamics-identity-security-ai-agents
https://timesofindia.indiatimes.com/amp/technology/tech-news/ceo-of-europes-largest-software-company-sap-to-everyone-saying-ai-killed-software-ai-agents-dont-work-without-brain-and-this-brain-is-/articleshow/131257885.cms
https://t2conline.com/ai-agents-are-becoming-the-new-operating-system-for-business-2/